Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Querying several resources via API with invalid resourceVersion query parameter causes internal server error #101350

Closed
matusf opened this issue Apr 22, 2021 · 11 comments
Closed

Querying several resources via API with invalid resourceVersion query parameter causes internal server error #101350

matusf opened this issue Apr 22, 2021 · 11 comments
Assignees
@pacoxu
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@matusf
Copy link

matusf commented Apr 22, 2021
edited
Loading

What happened:

Hello @viralpoetry and I were fuzzing the k8s (via openapi-fuzzer) and found out following bug. Querying several resources via API with invalid resourceVersion query parameter causes internal server error. Affected resources:

  • api-v1-namespaces-{namespace}-configmaps/
  • api-v1-namespaces-{namespace}-endpoints/
  • api-v1-namespaces-{namespace}-events/
  • api-v1-namespaces-{namespace}-limitranges/
  • api-v1-namespaces-{namespace}-persistentvolumeclaims/
  • api-v1-namespaces-{namespace}-pods/
  • api-v1-namespaces-{namespace}-podtemplates/
  • api-v1-namespaces-{namespace}-replicationcontrollers/
  • api-v1-namespaces-{namespace}-resourcequotas/
  • api-v1-namespaces-{namespace}-secrets/
  • api-v1-namespaces-{namespace}-serviceaccounts/
  • api-v1-namespaces-{namespace}-services/

What you expected to happen:

Response with non-500 HTTP status code

How to reproduce it (as minimally and precisely as possible):

We were fuzzing k8s locally via minikube.

  1. start minukube
minikube start --driver virtualbox
  1. install ca certificates
sudo cp ~/.minikube/ca.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates
  1. get k8s IP address
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
  1. add the IP to /etc/hosts as minikubeca
  2. get access token and export it as token
kubectl create clusterrolebinding permissive-binding \
  --clusterrole=cluster-admin \
  --user=admin \
  --user=kubelet \
  --group=system:serviceaccounts

kubectl create serviceaccount openapifuzz
kubectl get serviceaccounts openapifuzz -o json | jq -r .secrets[].name
kubectl get secret openapifuzz-token-sn9qm -o json | jq -r .data.token
 export token=<retrieved-token>
  1. send requests
# configmaps
curl -X GET 'https://minikubeca:8443/api/v1/namespaces/x/configmaps?resourceVersion=x' -H "Authorization: Bearer $token"

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# endpoints
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x/endpoints?resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# events
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x?events&resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# limit ranges
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x/limitranges?resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# persistent volume claims
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x/persistentvolumeclaims?resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# pods
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x/pods?resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# pod templates
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x/podtemplates?resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# replication controllers
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x/replicationcontrollers?resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# resource quotas
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x/resourcequotas?resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# secrets
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x/secrets?resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# service accounts
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x/serviceaccounts?resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

# services
curl -X GET -H "authorization: bearer $token" 'https://minikubeca:8443/api/v1/namespaces/x/services?resourceVersion=x'
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "resourceVersion: Invalid value: \"x\": strconv.ParseUint: parsing \"x\": invalid syntax",
  "code": 500
}

Environment:

  • Kubernetes version (use kubectl version):
clientVersion:
  buildDate: "2021-04-08T16:31:21Z"
  compiler: gc
  gitCommit: cb303e613a121a29364f75cc67d3d580833a7479
  gitTreeState: clean
  gitVersion: v1.21.0
  goVersion: go1.16.1
  major: "1"
  minor: "21"
  platform: linux/amd64
serverVersion:
  buildDate: "2021-01-13T13:20:00Z"
  compiler: gc
  gitCommit: faecb196815e248d3ecfb03c680a4507229c2a56
  gitTreeState: clean
  gitVersion: v1.20.2
  goVersion: go1.15.5
  major: "1"
  minor: "20"
  platform: linux/amd64
  • Cloud provider or hardware configuration: minikube with virtual-box driver
  • OS (e.g: cat /etc/os-release): Ubuntu 18.04.5 LTS (bionic)
  • Kernel (e.g. uname -a): Linux pine 4.15.0-140-generic Refactor controller manager. #144-Ubuntu SMP Fri Mar 19 14:12:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools: downloaded precompiled binary
  • minikube version: v1.19.0 (commit: 15cede53bdc5fe242228853e737333b09d4336b5)
@matusf matusf added the kind/bug Categorizes issue or PR as related to a bug. label Apr 22, 2021
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 22, 2021
@matusf matusf changed the title Listing configmaps via API with invalid resourceVersion query parameter causes internal server error Querying several resources via API with invalid resourceVersion query parameter causes internal server error Apr 22, 2021
@matusf
Copy link
Author

matusf commented Apr 22, 2021

/sig api-machinery

@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 22, 2021
@pacoxu
Copy link
Member

pacoxu commented Apr 22, 2021
edited
Loading

IMO, it should return something like

https://127.0.0.1:6443/api/v1/pods?timeoutSeconds=0.1s
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "strconv.ParseInt: parsing \"0.1s\": invalid syntax",
  "reason": "BadRequest",
  "code": 400
}

/assign

kubernetes/staging/src/k8s.io/apiserver/pkg/endpoints/apiserver_test.go

Lines 1165 to 1168 in ea07644

// {"/simple/foo?export=<invalid>", http.MethodGet}, TODO: there is no invalid bool in conversion. Should we be more strict?
// {"/simple/foo?resourceVersion=<invalid>", http.MethodGet}, TODO: there is no invalid resourceVersion. Should we be more strict?
// {"/withoptions?labelSelector=<invalid>", http.MethodGet}, TODO: SimpleGetOptions is always valid. Add more validation that can fail.
} {

There is no invalid resourceVersion. Should we be more strict?

@pacoxu
Copy link
Member

pacoxu commented Apr 22, 2021

per #46844 which fixed #39730, cc @sttts

@pacoxu pacoxu mentioned this issue Apr 22, 2021
Closed
@fedebongio
Copy link
Contributor

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 22, 2021
@pacoxu
Copy link
Member

pacoxu commented Apr 23, 2021
edited
Loading

Some comments from the PR: #101368 (comment).

kubernetes/staging/src/k8s.io/apimachinery/pkg/apis/meta/internalversion/types.go

Lines 47 to 50 in ea07644

// resourceVersion sets a constraint on what resource versions a request may be served from.
// See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for
// details.
ResourceVersion string

As the code comment shows, https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions

Resource versions must be treated as opaque by clients and passed unmodified back to the server.

@yliaog
Copy link
Contributor

yliaog commented Apr 23, 2021

the error should come from here:

kubernetes/staging/src/k8s.io/apiserver/pkg/storage/etcd3/api_object_versioner.go

Line 91 in 2115852

func (a APIObjectVersioner) ParseResourceVersion(resourceVersion string) (uint64, error) {

which is correct, as it is converting/validating the resourceVersion for etcd.

I think the question is whether it should return 500 or 400.

@pacoxu
Copy link
Member

pacoxu commented Apr 25, 2021

I updated #101368.

@k8s-triage-robot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 26, 2021
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 25, 2021
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot
Copy link
Contributor

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pacoxu pacoxu

Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

change http code to 400 for invalid resourceVersion for GET rest apis pacoxu/kubernetes
6 participants
@pacoxu @fedebongio @matusf @k8s-ci-robot @yliaog @k8s-triage-robot